WikiLeaks Document Release 

http: / /wikileaks.org/wiki/CRS-RL31408 
February 2, 2009 

Congressional Research Service 
Report RL31408 

Internet Privacy: Overview and Legislation in the 109th 

Congress, 1st Session 

Marcia S. Smith, Resources, Science and Industry Division 
January 26, 2006 

Abstract. This report provides an overview of Internet privacy-related issues and related laws passed in 
previous Congresses, and discusses legislative activity in the first session of the 109th Congress. Background 
information on Internet privacy issues is available in CRS Report RL30784, Internet Privacy: An Analysis of 
Technology and Policy Issues, by Marcia Smith; and CRS Report RL31289, The Internet and the USA PATRIOT 
Act: Potential Implications for Electronic Privacy, Security, Commerce, and Government, by Marcia Smith, et al. 



http://wikileaks.org/wiki/CRS-RL31408 



Order Code RL31408 



CRS Report for Congress 

Received through the CRS Web 



Internet Privacy: Overview 
and Legislation in the 109 th Congress, 1 st Session 



Updated January 26, 2006 



Marcia S. Smith 

Specialist in Aerospace and Telecommunications Policy 
Resources, Science, and Industry Division 



Congressional Research Service ❖ The Library of Congress 





http://wikileaks.org/wiki/CRS-RL31408 



Internet Privacy: Overview and Legislation in the 109 th 

Congress, 1 st Session 



Summary 

Internet privacy issues encompass several types of concerns. One is the 
collection of personally identifiable information (PH) by website operators from 
visitors to government and commercial websites, or by software that is surreptitiously 
installed on a user’s computer (“spyware”) and transmits the information to someone 
else. Another is the monitoring of electronic mail and Web usage by the government 
or law enforcement officials, employers, or email service providers. 

The September 11, 2001 terrorist attacks intensified debate over the issue of 
monitoring by the government and law enforcement officials, with some advocating 
increased tools to help them track down terrorists, and others cautioning that 
fundamental tenets of democracy, such as privacy, not be endangered in that pursuit. 
Congress passed the 2001 USA PATRIOT Act (P.L. 107-56) that, inter alia, makes 
it easier for law enforcement officials to monitor Internet activities. That act was 
amended by the Homeland Security Act (P.L. 107-296), loosening restrictions as to 
when, and to whom, Internet Service Providers may voluntarily release the content 
of communications if they believe there is a danger of death or injury. Some 
provisions of the USA PATRIOT Act, including two that relate to Internet use, would 
have expired on December 3 1 , 2005 . Congress passed a brief extension (to February 
3,2006) in P.L. 109-160. Debate over whether civil liberties protections need to be 
added if the provisions are to be made permanent is expected to continue in the 
second session of the 109 th Congress. Revelations that President Bush directed the 
National Security Agency to monitor some communications, including e-mails, in the 
United States without warrants may affect those deliberations. 

The debate over website information policies concerns whether industry self 
regulation or legislation is the best approach to protecting consumer privacy. 
Congress has considered legislation that would require commercial website operators 
to follow certain fair information practices, but the only law that has been enacted 
(COPPA, P.L. 105-277) concerns the privacy of children under 13, not the general 
public. Legislation has passed regarding information practices for federal 
government websites, including the E-Government Act (P.L. 107-347). 

The growing controversy about how to protect computer users from “spyware” 
without creating unintended consequences is discussed briefly in this report, but in 
more detail in CRS Report RL32706. Another issue, identity theft, is not an Internet 
privacy issue per se, but is often debated in the context of whether the Internet makes 
identity theft more prevalent. For example, Internet-based practices called 
“phishing” and “pharming” may contribute to identity theft. Identity theft is briefly 
discussed in this report; more information is available in CRS Report RS22082, 
CRS Report RL31919, and CRS Report RL32535. Wireless privacy issues are 
discussed in CRS Report RL31636. 

This is the final edition of this report. It provides an overview of Internet 
privacy issues and related laws passed in previous Congresses, and discusses 
legislative activity in the first session of the 109 th Congress. 




http://wikileaks.org/wiki/CRS-RL31408 



Contents 



Introduction 1 

Internet: Commercial Website Practices 1 

Children’s Online Privacy Protection Act (COPPA), P.L. 105-277 2 

FTC Activities and Fair Information Practices 3 

Advocates of Self Regulation 3 

Advocates of Legislation 4 

Congressional Action 5 

Internet: Federal Government Website Information Practices 5 

Monitoring of E-mail and Web Usage 6 

By Government and Law Enforcement Officials 6 

The USA PATRIOT Act 7 

The 9/1 1 Commission Report, and Creation of the Privacy and 

Civil Liberties Oversight Board 9 

Government Access to Search Engine Data (e.g. Google) 10 

By Employers 11 

By E-Mail Service Providers: The “Councilman Case” 11 

Spyware 13 

Identity Theft (Including Phishing and Pharming) 14 

Identity Theft Statistics 14 

“Phishing” and “Pharming” 15 

Existing Laws 16 

Legislation in the 109 th Congress, 1 st Session 18 

Summary of Internet Privacy-Related Legislation in the 109 th Congress, 1 st 

Session 19 

Appendix A. Internet Privacy-Related Legislation Passed by the 108 th 

Congress 25 

Appendix B. Internet Privacy- Related Legislation Passed by the 107 th 

Congress 25 

List of Tables 

Table 1. Bills Introduced in the 109 th Congress, 1 st Session 19 




http://wikileaks.org/wiki/CRS-RL31408 



Internet Privacy: Overview 
and Legislation in the 109 th Congress, 1 st 

Session 



Introduction 

Internet privacy issues encompass several concerns. One is the collection of 
personally identifiable information (PH) by website operators from visitors to 
government and commercial websites, or by software that is surreptitiously installed 
on a user’s computer (“spyware”) and transmits the information to someone else. 
Another is the monitoring of electronic mail and Web usage by the government or 
law enforcement officials, employers, or e-mail service providers. Another issue, 
identity theft, is not an Internet privacy issue per se, but is often debated in the 
context of whether the Internet makes identity theft more prevalent. For example, 
Internet-based practices called “phishing” and “pharming” may contribute to identity 
theft. 



This report provides an overview of Internet privacy-related issues and related 
laws passed in previous Congresses, and discusses legislative activity in the first 
session of the 109 th Congress. Background information on Internet privacy issues 
is available in an archived CRS Report RL30784, Internet Privacy: An Analysis of 
Technology and Policy Issues , by Marcia Smith (available from author); and CRS 
Report RL31289, The Internet and the USA PATRIOT Act: Potential Implications 
for Electronic Privacy, Security, Commerce, and Government, by Marcia Smith, et 
al. 



Internet: Commercial Website Practices 

One aspect of the Internet (“online”) privacy debate focuses on whether industry 
self regulation or legislation is the best route to assure consumer privacy protection. 
In particular, consumers appear concerned about the extent to which website 
operators collect “personally identifiable information” (PH) and share that data with 
third parties without their knowledge. Although many in Congress and the Clinton 
Administration preferred industry self regulation, the 105 th Congress passed 
legislation (COPPA, see below) to protect the privacy of children under 13 as they 
use commercial websites. Many bills have been introduced since that time regarding 
protection of those not covered by COPPA, but the only legislation that has passed 
concerns federal government, not commercial, websites. 




http://wikileaks.org/wiki/CRS-RL31408 



CRS-2 



Children’s Online Privacy Protection Act (COPPA), 

P.L. 105-277 

Congress, the Clinton Administration, and the Federal Trade Commission (FTC) 
initially focused their attention on protecting the privacy of children under 13 as they 
visit commercial websites. Not only are there concerns about information children 
might divulge about themselves, but also about their parents. The result was the 
Children’s Online Privacy Protection Act (COPPA), Title XIII of Division C of the 
FY1999 Omnibus Consolidated and Emergency Supplemental Appropriations Act, 
P.L. 105-277. 1 The FTC’s final rule implementing the law became effective April 
21, 2000 [http://www.ftc.gov/os/1999/10/64fr59888.htm]. Commercial websites and 
online services directed to children under 13, or that knowingly collect information 
from them, must inform parents of their information practices and obtain verifiable 
parental consent before collecting, using, or disclosing personal information from 
children. The Commission adopted a “sliding scale” for complying with the 
verifiable consent requirement depending on how the data would be used. That is, 
if the information was for internal use only, the verifiable consent could be obtained 
from the parent by e-mail, plus an additional step to ensure the person giving consent 
is, in fact, the parent. If the website operator planned to disclose the information 
publicly or to third parties, a higher standard was set. This sliding scale was set to 
expire in 2002 with the expectation that better verification technologies would 
become available. However, in 2002, the FTC determined that such technologies 
still were not available, and the sliding scale was extended to April 12, 2005. In 
2005, the Commission extended it again, and is seeking public comment on how to 
proceed, as part of its overall review of the COPPA rule. 2 

The law also provides for industry groups or others to develop self-regulatory 
“safe harbor” guidelines that, if approved by the FTC, can be used by websites to 
comply with the law. The FTC approved self-regulatory guidelines proposed by the 
Better Business Bureau on January 26, 2001 . On June 11, 2003, then-FTC Chairman 
Timothy Muris stated in testimony to the Senate Commerce Committee that the FTC 
had brought eight COPPA cases, and obtained agreements requiring payment of civil 
penalties totaling more than $350,000. 3 

As required by COPPA, on April 21, 2005, the Commission issued a request for 
public comment on its final rule, five years after the rule’ s effective date. 4 Comments 
were requested on the costs and benefits of the rule; whether it should be retained, 



1 COPPA should not be confused with COPA — the Child Online Protection Act — which 
addresses protecting children from unsuitable material, such as pornography, on the Internet . 
COPA is discussed in CRS Report RS21328, Internet: Status of Legislative Attempts to 
Protect Children from Unsuitable Material on the Web , by Marcia S. Smith. 

2 “ptc Seeks Public Comment on Children’s Online Privacy Rule.” FTC press release, 
April 21, 2005. See [http://www.ftc.gov/opa/2005/04/coppacomments.htm]. (Hereafter 
cited as FTC Seeks Public Comment on Children ’s Online Privacy Rule.) 

3 Prepared statement of Timothy Muris, Chairman, Federal Trade Commission, p. 10, 
available at [http://commerce.senate.go v/hearings/witnesslist.cfm?id=807] . 

4 FTC Seeks Public Comment on Children ’s Online Privacy Rule. 




http://wikileaks.org/wiki/CRS-RL31408 



CRS-3 



eliminated, or modified; and its effect on practices relating to the collection of 
information relating to children, children’s ability to access information of their 
choice online, and the availability of websites directed to children. 

FTC Activities and Fair Information Practices 

The FTC conducted or sponsored several surveys between 1997 and 2000 to 
determine the extent to which commercial website operators abided by four fair 
information practices — providing notice to users of their information practices 
before collecting personal information, allowing users choice as to whether and how 
personal information is used, allowing users access to data collected and the ability 
to contest its accuracy, and ensuring security of the information from unauthorized 
use. Some include enforcement as a fifth fair information practice. Regarding 
choice, the term “opt-in” refers to a requirement that a consumer give affirmative 
consent to an information practice, while “opt-out” means that permission is 
assumed unless the consumer indicates otherwise. See archived CRS Report 
RL30784, Internet Privacy: An Analysis of Technology and Policy Issues , by Marcia 
Smith (available from author), for more information on the FTC surveys and fair 
information practices. The FTC’s reports are available on its website 
[http://www.ftc.gov] . 

Briefly, the first two FTC surveys (December 1997 and June 1998) created 
concern about the information practices of websites directed at children and led to 
the enactment of COPPA (see above). The FTC continued monitoring websites to 
determine if legislation was needed for those not covered by COPPA. In 1999, the 
FTC concluded that more legislation was not needed at that time because of 
indications of progress by industry at self-regulation, including creation of “seal” 
programs (see below) and by two surveys conducted by Georgetown University. 
However, in May 2000, the FTC changed its mind following another survey that 
found only 20% of randomly visited websites and 42% of the 100 most popular 
websites had implemented all four fair information practices. The FTC voted to 
recommend that Congress pass legislation requiring websites to adhere to the four 
fair information practices, but the 3-2 vote indicated division within the Commission. 
On October 4, 2001 , Timothy Muris, who had recently become FTC Chairman, stated 
that he did not see a need for additional legislation at that time. (Mr. Muris was 
succeeded as FTC Chairman on August 16, 2004 by Deborah Platt Majoras.) 

Advocates of Self Regulation 

In 1998, members of the online industry formed the Online Privacy Alliance 
(OPA) to encourage industry self regulation. OPA developed a set of privacy 
guidelines, and its members are required to adopt and implement posted privacy 
policies. The Better Business Bureau (BBB), TRUSTe, and WebTrust have 
established “seals” for websites. To display a seal from one of those organizations, 
a website operator must agree to abide by certain privacy principles (some of which 
are based on the OPA guidelines), a complaint resolution process, and to being 
monitored for compliance. Advocates of self regulation argue that these seal 
programs demonstrate industry’s ability to police itself. 




http://wikileaks.org/wiki/CRS-RL31408 



CRS-4 



Technological solutions also are being offered. P3P (Platform for Privacy 
Preferences) is one such technology. It essentially creates machine -readable privacy 
policies through which users can match their privacy preferences with the privacy 
policies of the websites they visit. One concern is that P3P requires companies to 
produce shortened versions of their privacy policies, which could raise issues of 
whether the shortened policies are legally binding, since they may omit nuances and 
“sacrifice accuracy for brevity.” 5 For more information on P3P, see 
[http://www.w3.org/P3P/] . 

Advocates of Legislation 

Consumer, privacy rights and other interest groups believe self regulation is 
insufficient. They argue that the seal programs do not carry the weight of law, and 
that while a site may disclose its privacy policy, that does not necessarily equate to 
having a policy that protects privacy. The Center for Democracy and Technology 
(CDT, at [http://www.cdt.org]) and the Electronic Privacy In formation Center 
(EPIC, at [http://www.epic.org]) each released reports on this topic. EPIC’s most 
recent report, Privacy Self Regulation: A Decade of Disappointment, argues that the 
National Do Not Call list, which restricts telemarketing phone calls, demonstrates 
that government regulation can be more effective than industry self regulation. 
Calling telemarketing a 20 th century problem, the report concludes that the FTC has 
given self regulation a decade to work in the Internet privacy arena, and it is time for 
the agency “to apply the lessons from telemarketing and other efforts to address the 
21 st century [sic] problem of Internet privacy.” 6 

Some privacy interest groups, such as EPIC, also feel that P3P is insufficient, 
arguing that it is too complex and confusing and fails to address many privacy 
issues. An EPIC report from June 2000 further explains its findings 
[http://www.epic.org/reports/prettypoorprivacy.html]. 

Privacy advocates have been particularly concerned about online profiling, 
where companies collect data about what websites are visited by a particular user and 
develop profiles of that user’s preferences and interests for targeted advertising. 
Following a one-day workshop on online profiling, FTC issued a two-part report in 
the summer of 2000 that also heralded the announcement by a group of companies 
that collect such data, the Network Advertising Initiative (NAI), of self-regulatory 
principles. At that time, the FTC nonetheless called on Congress to enact legislation 
to ensure consumer privacy vis a vis online profiling because of concern that “bad 
actors” and others might not follow the self-regulatory guidelines. 



5 Clark, Drew. “Tech, Banking Firms Criticize Limitations of Privacy Standard.” 
NationalJournal.com, November 11, 2002. 

6 EPIC. “Privacy Self Regulation: A Decade of Disappointment,” by Chris Jay Hoofnagle. 
March 4, 2005. [http://www.epic.org/reports/decadedisappoint.pdf], p. 5. 





http://wikileaks.org/wiki/CRS-RL31408 



CRS-5 



Congressional Action 

Many Internet privacy bills were considered by the 107 th and 108 th Congresses. 
Other than extending an existing prohibition regarding federal websites (see next 
section), none cleared Congress. Several bills were introduced in the first session of 
the 109 th Congress (see table at end of report). 



Internet: Federal Government 
Website Information Practices 

Under a May 1998 directive from President Clinton and a June 1999 Office of 
Management and Budget (OMB) memorandum, federal agencies must ensure that 
their information practices adhere to the 1974 Privacy Act. In June 2000, however, 
the Clinton White House revealed that contractors for the Office of National Drug 
Control Policy (ONDCP) had been using “cookies” (small text files placed on users’ 
computers when they access a particular website) to collect information about those 
using an ONDCP site during an anti-drug campaign. ONDCP was directed to cease 
using cookies, and OMB issued another memorandum reminding agencies to post 
and comply with privacy policies, and detailing the limited circumstances under 
which agencies should collect personal information. A September 5 , 2000 letter from 
OMB to the Department of Commerce further clarified that “persistent' ’cookies, 
which remain on a user’s computer for varying lengths of time (from hours to years), 
are not allowed unless four specific conditions are met. “Session” cookies, which 
expire when the user exits the browser, are permitted. 

At the time, Congress was considering whether commercial websites should be 
required to abide by FTC’s four fair information practices. The incident sparked 
interest in whether federal websites should adhere to the same requirements. In the 
FY2001 Transportation Appropriations Act (P.L. 106-346), Congress prohibited 
funds in the FY2001 Treasury-Postal Appropriations Act from being used to collect, 
review, or create aggregate lists that include PH about an individual’ s access to or use 
of a federal website or enter into agreements with third parties to do so, with 
exceptions. Similar language has been included in subsequent appropriations bills. 
For FY2006, it is Section 832 of the Transportation-Treasury Appropriations Act 
(P.L. 109-115). 

Nonetheless, in December 2005, the Associated Press (AP) reported that a 
privacy advocate, Daniel Brandt, had discovered that the National Security Agency 
(NSA) was using permanent cookies on its website. 7 The AP quoted an NSA 
spokesman as saying that it resulted from a recent software upgrade and the agency 
was not aware that permanent cookies were being set. CINET News. Com reported 
a week later that, based on its own investigation, “dozens” of agencies were setting 



7 Jesdanun, Anick. NSA Inadvertently Uses Banned Data-Tracking “Cookies” At website. 
Associated Press, December 28, 2005, 15:35 (via Factiva). 




http://wikileaks.org/wiki/CRS-RL31408 



CRS-6 



permanent cookies or “web bugs.” 8 The article identified the White House, the Air 
Force, and the Treasury Department as examples, and reported that some of the 
agencies changed their practices after being contacted, and many seemed to have no 
idea that their software was setting cookies. 

Section 646 of the FY2001 Treasury-Postal Appropriations Act (P.L. 106-554) 
required Inspectors General (IGs) to report to Congress on activities by those 
agencies or departments relating to their own collection of PE, or entering into 
agreements with third parties to obtain PII about use of websites. Then-Senator Fred 
Thompson released two reports in April and June 2001 based on the findings of 
agency IGs who discovered unauthorized persistent cookies and other violations of 
government privacy guidelines on several agency websites. An April 2001 GAO 
report (GAO-0 1-424) concluded that most of the 65 sites it reviewed were following 
OMB ’s guidance. 

The E-Govemment Act (P.L. 107-347) sets requirements on government 
agencies regarding how they assure the privacy of personal information in 
government information systems and establish guidelines for privacy policies for 
federal websites. The law requires federal websites to include a privacy notice that 
addresses what information is to be collected, why, its intended use, what notice or 
opportunities for consent are available to individuals regarding what is collected and 
how it is shared, how the information will be secured, and the rights of individuals 
under the 1974 Privacy Act and other relevant laws. It also requires federal agencies 
to translate their website privacy policies into a standardized machine-readable 
format, enabling P3P to work (see above discussion of P3P), for example. 



Monitoring of E-mail and Web Usage 

By Government and Law Enforcement Officials 

Another concern is the extent to which electronic mail (e-mail) exchanges or 
visits to websites may be monitored by law enforcement agencies or employers. In 
the wake of the September 11 terrorist attacks, the debate over law enforcement 
monitoring has intensified. Previously, the issue had focused on the extent to which 
the Federal Bureau of Investigation (FBI), with legal authorization, used a software 
program, called Carnivore (later renamed DCS 1000), to intercept e-mail and monitor 
Web activities of certain suspects. The FBI would install the software on the 
equipment of Internet Service Providers (ISPs). Privacy advocates were concerned 
about whether Carnivore-like systems can differentiate between e-mail and Internet 
usage by a subject of an investigation and similar usage by other people. Technical 
details of the system were not publicly available, meaning that privacy groups were 
unable to independently determine exactly what the system could or could not do, 



8 McCullagh, Declan. Government Web Sites Are Keeping an Eye On You. CINET 
News.com, January 5, 2006. Available on the news.com.com website at 
[http://news.com.eom/Government-i-Web-Tsites-i-are-i-keeping-i-an-i-eye-i-on-i-you/2 100-102 
8_3-6018702.html], Web bugs are very small (i.e., not visible) graphic images placed on 
HTML pages or in e-mails that allow third parties to track user behavior. 




http://wikileaks.org/wiki/CRS-RL31408 



CRS-7 



leading to their concerns. Section 305 of the 21 st Century Department of Justice 
Appropriations Authorization Act (P.L. 107-273) required the Justice Department to 
report to Congress at the end of FY2002 and FY2003 on its use of Carnivore/DCS 
1000 or any similar system. EPIC obtained the reports in January 2005 under the 
Freedom of Information Act and placed them on its website. 9 The reports indicate 
that the Justice Department no longer uses Camiv ore/DCS 1000, using commercially 
available software instead. The Justice Department reported that it used commercial 
software to conduct court-ordered electronic surveillance five times in FY2002 and 
eight times in FY2003. 

The USA PATRIOT Act. Following the terrorist attacks, Congress passed the 
Uniting and Strengthening America by Providing Appropriate Tools to Intercept and 
Obstruct Terrorism (USA PATRIOT) Act, P.L. 107-56, which expands law 
enforcement’s ability to monitor Internet activities. Inter alia , the law modifies the 
definitions of “pen registers” and “trap and trace devices” to include devices that 
monitor addressing and routing information for Internet communications. Carnivore- 
like programs may now fit within the new definitions. The Internet privacy-related 
provisions of the USA PATRIOT Act, included as part of Title II, are as follows: 

• Section 210, which expands the scope of subpoenas for records of 
electronic communications to include records commonly associated 
with Internet usage, such as session times and duration. 

• Section 212, which allows ISPs to divulge records or other 
information (but not the contents of communications) pertaining to 
a subscriber if they believe there is immediate danger of death or 
serious physical injury or as otherwise authorized, and requires them 
to divulge such records or information (excluding contents of 
communications) to a governmental entity under certain conditions. 

It also allows an ISP to divulge the contents of communications to 
a law enforcement agency if it reasonably believes that an 
emergency involving immediate danger of death or serious physical 
injury requires disclosure of the information without delay. This 
section was amended by the Cyber Security Enhancement Act 
— see below. 

• Section 216, which adds routing and addressing information (used 
in Internet communications) to dialing information, expanding what 
information a government agency may capture using pen registers 
and trap and trace devices as authorized by a court order, while 
excluding the content of any wire or electronic communications. The 
section also requires law enforcement officials to keep certain 
records when they use their own pen registers or trap and trace 
devices and to provide those records to the court that issued the 
order within 30 days of expiration of the order. To the extent that 
Carnivore-like systems fall with the new definition of pen registers 



9 See [http://www.epic.org/privacy/carnivore/2002_report.pdf], and 
[http://www.epic.org/privacy/carnivore/2003_report.pdf]. 




http://wikileaks.org/wiki/CRS-RL31408 



CRS-8 



or trap and trace devices provided in the act, that language would 
increase judicial oversight of the use of such systems. 

• Section 217, which allows a person acting under color of law to 
intercept the wire or electronic communications of a computer 
trespasser transmitted to, through, or from a protected computer 
under certain circumstances, and 

• Section 224, which sets a four-year sunset period for many of the 
Title II provisions. Sections 210 and 216 are excluded from the 
sunset. Sections 212 and 217 are not, and therefore will expire on 
December 31, 2005. As discussed below, Congress is considering 
legislation that would amend this sunset clause, making either more 
or fewer sections subject to it. 

The Cyber Security Enhancement Act, section 225 of the 2002 Homeland 
Security Act (P.L. 107-296), amends section 212 of the USA PATRIOT Act. It 
lowers the threshold for when ISPs may voluntarily divulge the content of 
communications. Now ISPs need only a “good faith” (instead of a “reasonable”) 
belief that there is an emergency involving danger (instead of “immediate” danger) 
of death or serious physical injury. The contents can be disclosed to “a Federal, state, 
or local governmental entity” (instead of a “law enforcement agency”). 

Privacy advocates are especially concerned about the language added by the 
Cyber Security Enhancement Act. EPIC notes, for example, that allowing the 
contents of Internet communications to be disclosed voluntarily to any governmental 
entity not only poses increased risk to personal privacy, but also is a poor security 
strategy. Another concern is that the law does not provide for judicial oversight of 
the use of these procedures. 10 A Senate Judiciary Committee hearing on September 
23, 2004 explored some of these concerns. 

Several House and Senate committees held hearings in the first session of the 
109 lh Congress on various provisions of the USA PATRIOT Act, and more are 
expected in the second session, as Congress debates whether to extend the “sunset 
date,” or expiration date, of several provisions of that act. Under Section 224, a 
number of sections would have expired on December 31, 2005, including Section 
212 and 217. Section 210 and Section 216 are not subject to the sunset clause (i.e., 
they are permanent). 

Several bills were introduced to modify the sunset clause by making temporary 
provisions permanent, by making permanent provisions temporary, or by modifying 
reporting requirements or otherwise enhancing oversight of how the provisions are 
implemented. As December 31, 2005 approached, the issue became very 
contentious. The House passed a permanent extension (i.e., it repealed the sunset 
clause) in H.R. 3199. The Senate, however, passed only a six-month extension (S. 



10 [http://www.epic.org/alert/EPIC_Alert_9-23.html]. See entry under “[3] Homeland 
Security Bill Limits Open Government, and click on hyperlink to EPIC’ s February 26, 2002 
letter to the House Judiciary Committee. 




http://wikileaks.org/wiki/CRS-RL31408 



CRS-9 



2 1 67) to allow time for further consideration of concerns by some Senators that more 
civil liberties protections are needed. The House did not agree with the Senate 
action, and amended S. 2167 so that the extension was only for five weeks (through 
February 3, 2006) to ensure that the Congress dealt with the issue early in the second 
session. Debate may be influenced by revelations in December 2005 that President 
George W. Bush directed the National Security Agency to monitor phone calls and 
e-mails in the United States without warrants. (For further information on the debate 
over warrantless searches, see the CRS general distribution memorandum at this CRS 
website: [http://www.crs.gov/products/browse/documents/WD00002.pdf]. 



The 9/1 1 Commission Report, and Creation of the Privacy and Civil 
Liberties Oversight Board. On July 22, 2004, the “9/1 1 Commission” released 
its report on the terrorist attacks. 11 The Commission concluded (pp. 394-395) that 
many of the USA PATRIOT Act provisions appear beneficial, but that “Because of 
concerns regarding the shifting balance of power to the government, we think that a 
full and informed debate on the Patriot Act would be healthy.” The Commission 
recommended that “The burden of proof for retaining a particular governmental 
power should be on the executive, to explain (a) that the power actually materially 
enhances security and (b) that there is adequate supervision of the executive’s use of 
the powers to ensure protection of civil liberties. If the power is granted, there must 
be adequate guidelines and oversight to properly confine its use.” The Commission 
also called for creation of a board within the executive branch “to oversee adherence 
to the guidelines we recommend and the commitment the government makes to 
defend our civil liberties.” The commissioners went on to say that “We must find 
ways of reconciling security with liberty, since the success of one helps protect the 
other. The choice between security and liberty is a false choice, as nothing is more 
likely to endanger America’s liberties than the success of a terrorist attack at home. 
Our history has shown us that insecurity threatens liberty. Yet, if our liberties are 
curtailed, we lose the values that we are struggling to defend.” 

The 108 th Congress passed legislation implementing many of the Commission’ s 
recommendations. Called the Intelligence Reform and Terrorism Prevention Act (S . 
2845, P.L. 108-458), Section 1061 creates a Privacy and Civil Liberties Oversight 
Board as part of the Executive Office of the President. According to the bill’s 
sponsor, Senator Collins, the Board’s purpose is to “ensure that privacy and civil 
liberties concerns are appropriately considered in the implementation of all laws, 
regulations, and policies that are related to efforts to protect the Nation against 
terrorism.” 12 It must report to Congress annually on an unclassified basis to the 
greatest extent possible. It will be composed of five members, two of which (the 
chairman and vice-chairman) must be confirmed by the Senate. All must come from 
outside the government to help ensure their independence. 

National Journal reported on January 13, 2006 that although the five members 
of the Board have been appointed, the chairman and vice chairman have not yet been 



11 National Commission on Terrorist Attacks Upon the United States. The 9/11 
Commission Report. 585 p. [http://www.9-llcommission.gov/report/911Report.pdf]. 

12 Congressional Record , December 8, 2004, p. SI 1974. 




http://wikileaks.org/wiki/CRS-RL31408 



CRS-10 



confirmed by the Senate. 13 An August 2005 Reuters report cited critics (including 
a former 9/11 Commissioner, Members of the House and Senate, and others) as 
concluding that the panel is a “toothless, underfunded shell with inadequate support” 
from the President. 14 

H.R. 1310 (Maloney) was introduced in the first session of the 109 th Congress 
to make a number of changes, including establishing the Board as an independent 
agency in the executive branch, instead of part of the Executive Office of the 
President; setting out certain qualifications for Board members; and requiring that all 
of the Board members be confirmed by the Senate, not just the chairman and vice- 
chairman. There was no legislative action on the bill during the first session. As 
with debate over the USA PATRIOT Act, this discussion may be influenced by the 
controversy over warrantless searches (see above). 

Government Access to Search Engine Data (e.g. Google). In January 
2006, Internet search engine company Google indicated that it was resisting a Justice 
Department subpoena requiring the company to provide the government with data on 
searches made by users. 15 The Justice Department reportedly is seeking the data to 
help it in a court case to uphold the Child Online Protection Act (COPA), which was 
enacted to protect children using the Internet from objectionable material such as 
pornography. 16 According to various media reports, other search engine companies, 
including Yahoo!, MSN, and America Online, did comply with the government’s 
request. Although much of the publicity focused on the extent to which the privacy 
of Internet users would be undermined if the government could access such data, 
some observers pointed out that the data are anonymous, and Google’s response 
might be stimulated more by business concerns (e.g., revealing proprietary 
information) than privacy concerns. 17 Nevertheless, public response suggests that 
some consumers now worry about what search terms they use, lest the government 
track their activities and draw erroneous conclusions. 18 



13 Friel, Brian. Civil Liberties Board Has Yet To Get Off the Ground. National Journal, 

January 13, 2006. Available on the govexec.com website at 

[http://www.govexec.com/story_page.cfm?articleid=33176&dcn=todaysnews] 

14 Drees, Caroline. “U.S. Civil Liberties Board Struggles Into Existence.” Reuters, August 
4,2005, 12:33 (via Factiva). 

15 Delaney, Kevin. Google to Buck U.S. on Data Request — Firm Resists Agency’s Efforts 
to Obtain Scaled-Back List of Web Sites, Search Queries. Wall Street Journal, January 20, 
2006, p. A3 (via Factiva). 

16 For a discussion of COPA, see CRS Report RS21328, Internet: Status of Legislative 
Attempts to Protect Children from Unsuitable Material on the Web , by Marcia S. Smith. 

17 Liptak, Adam. In Case About Google’s Secrets, Yours Are Safe. New York Times, 
January 26, 2006, p. 1 (via Factiva). 

18 Hafner, Katie. After Subpoenas, Internet Searches Give Some Pause. New York Times, 
January 25, 2006, p. 1 (via Factiva). 




http://wikileaks.org/wiki/CRS-RL31408 



CRS-11 



By Employers 

There also is concern about the extent to which employers monitor the e-mail 
and other computer activities of employees. The public policy concern appears to be 
not whether companies should be able to monitor activity, but whether they should 
notify their employees of that monitoring. A 2005 survey of 526 companies by the 
American Management Association and the ePolicy Institute found that 76% monitor 
Web usage, and 55% retain and review e-mail messages. 19 The survey found that 
26% of the companies had fired employees for misusing the Internet, and 25% had 
fired workers for e-mail misuse. Regarding notice, the survey reported that 80% of 
the companies inform workers that they are monitoring content, keystrokes, and time 
spent at the keyboard; 82% inform workers that computer files are stored and 
reviewed; 86% inform workers that e-mail is monitored; and 89% inform workers 
that Web usage is tracked. One criticism is that top level employees may not be 
subject to the same monitoring as rank and file workers. 20 

By E-Mail Service Providers: The “Councilman Case” 

In what is widely-regarded as a landmark ruling concerning Internet privacy, the 
U.S. Court of Appeals for the First Circuit in Massachusetts ruled (2-1) on June 29, 
2004 that an e-mail service provider did not violate federal wiretapping statutes when 
it intercepted and read subscribers’ e-mails to obtain a competitive business 
advantage. The ruling upheld the decision of a lower court to dismiss the case. 

The case involved an e-mail service provider, Interloc, Inc., that sold out-of- 
print books. According to press accounts 21 and the text of the court’s ruling, 22 
Interloc used software code to intercept and copy e-mail messages sent to its 
subscribers (who were dealers looking for buyers of rare and out-of-print books) by 
competitor Amazon.com. The e-mail was intercepted and copied prior to its delivery 
to the recipient so that Interloc officials could read the e-mails and obtain a 
competitive advantage over Amazon.com. Interloc Vice President Bradford 
Councilman was charged with violating the Wiretap Act. 23 The court’s majority 



19 American Management Association. “2005 Electronic Monitoring & Surveillance 
Survey.” Press Release, May 18, 2005. 
[http://www.amanet.org/press/amanews/ems05.htm], 

20 Sandberg, Jared. “Monitoring of Workers is Boss’s Right But Why Not Include Top 
Brass?,” Wall Street Journal, May 18, 2005, p. B1 (via Factiva). 

21 ( 1) Jewell, Mark. “Interception of E-Mail Raises Questions.” Associated Press, June 30, 
2004,9:14 pm. (2) Zetter, Kim. “E-Mail Snooping Ruled Permissible.” Wired News, June 
30, 2004, 08:40. (3) Krim, Jonathan. “Court Limits Privacy of E-Mail Messages; Providers 
Free to Monitor Communications.” Washington Post, July 1, 2004, El (via Factiva). 

22 U.S. v. Bradford C. Councilman. U.S. Court of Appeals for the First Circuit. No. 03-1383. 
[http ://www .c a 1 . uscourts . gov/pdf . opinions/03 -1383 -01A .pdf] . 

23 The Wiretap Act, 18 U.S.C. §§ 2510-2522, is Title I of the Electronic Communications 
Privacy Act (ECPA), P.L. 99-508. According to Jewell, op. cit., two other defendants — 
Alibris, which bought Interloc in 1998, and Interloc’s systems administrator — pleaded 

(continued...) 




http://wikileaks.org/wiki/CRS-RL31408 



CRS-12 



opinion noted that the parties stipulated that, at all times that the Interloc software 
was performing operations on the e-mails, they existed in the random access memory 
or in hard drives within Interloc’ s computer system. 

The case turned on the distinction between the e-mail being in transit, or in 
storage (and therefore governed by a different law 24 ). The government argued that 
the e-mails were copied contemporaneously with their transmission, and therefore 
were intercepted under the meaning of the Wiretap Act. Judges Torruella and Cyr 
concluded, however, that they were in temporary storage in Interloc’ s computer 
system, and therefore were not subject to the provisions of the Wiretap Act. They 
further stated that “We believe that the language of the statute makes clear that 
Congress meant to give lesser protection to electronic communications than wire and 
oral communication. Moreover, at this juncture, much of the protection may have 
been eviscerated by the realities of modern technology.... However, it is not the 
province of this court to graft meaning onto the statute where Congress has spoken 
plainly.” (p. 14-15). In his dissent, Judge Lipez stated, conversely, that he did not 
believe Congress intended for e-mail that is temporarily stored as part of the 
transmission process to have less privacy than messages as they are in transit. He 
agreed with the government’s contention that an “intercept” occurs between the time 
the author hits the “send” button and the message arrives in the recipient’s in-box. 
He concluded that “Councilman’s approach to the Wiretap Act would undo decades 
of practice and precedent ... and would essentially render the act irrelevant.... Since 
I find it inconceivable that Congress could have intended such a result merely by 
omitting the term ‘electronic storage’ from its definition of ‘electronic 
communication,’ I respectfully dissent.” 25 

Privacy advocates expressed deep concern about the ruling. Electronic Frontier 
Foundation (EFF) attorney Kevin Bankston stated that the court had “effectively 
given Internet communications providers free rein to invade the privacy of their users 
for any reason and at any time.” 26 The five major ISPs (AOF, Earthlink, Microsoft, 
Comcast, and Yahoo) all reportedly have policies governing their terms of service 
that state that they do not read subscribers’ e-mail or disclose personal information 
unless required to do so by law enforcement agencies. 27 The U.S. Department of 
Justice appealed the court’s decision; and several civil liberties filed a “friend of the 
court” brief in support of the government’ s appeal. In August 2005, the First Circuit 
Court of Appeals overturned the lower court’s decision 5-2. 28 



23 (...continued) 
guilty. 

24 Stored communications are covered by the Stored Communications Act, which is Title II 
of ECPA, 18 U.S.C.§§ 2701-2711. 

25 U.S. v. Bradford C. Councilman, p. 53. 

26 Online Privacy “Eviscerated” by First Circuit Decision. June 29, 2004. 
[http://www.eff.Org/news/archives/2004_06.php#00 1658]. 

27 Krim, op. cit. 

28 McCullagh, Declan. “E-mail Wiretap Case Can Proceed, Court Says.” clnet News.com, 

(continued...) 




http://wikileaks.org/wiki/CRS-RL31408 



CRS-13 



Two bills were introduced in the 108 lh Congress that would have affected this 
debate by amending either the Wiretap Act or the Stored Communications Act. 
There was no action on either bill. 

In the first session of the 109 th Congress, H.R. 3503/S. 936 were introduced to 
amend the Wiretap Act to clarify that it applies “contemporaneous with transit, or on 
an ongoing basis during transit, through the use of any electronic, mechanical, or 
other device or process, notwithstanding that the communication may simultaneously 
be in electronic storage.” There was no action on the bills in 2005. 



Spyware 

Spyware is discussed in more detail in CRS Report RL32706, Spyware: 
Background and Policy Issues for Congress , by Marcia Smith. The term “spyware” 
is not well defined. One example of spyware is software products that include, as 
part of the software itself, a method by which information is collected about the use 
of the computer on which the software is installed. Some products may collect 
personally identifiable information (PII). When the computer is connected to the 
Internet, the software periodically relays the information back to the software 
manufacturer or a marketing company. Some software traces a user’s Web activity 
and causes advertisements to suddenly appear on the user’s monitor — called “pop- 
up” ads — in response. Such software is called “adware,” and one aspect of the 
spyware debate is whether adware should be included in the definition of spyware. 
Software programs that include spyware can be sold or provided for free, on a disk 
(or other media) or downloaded from the Internet. Typically, users have no 
knowledge that spyware is on their computers. 

A central point of the debate is whether new laws are needed, or if industry self- 
regulation, coupled with enforcement actions under existing laws such as the Federal 
Trade Commission Act, is sufficient. The lack of a precise definition for spyware is 
cited as a fundamental problem in attempting to write new laws. FTC representatives 
and others caution that new legislation could have unintended consequences, barring 
current or future technologies that might, in fact, have beneficial uses. They further 
insist that, if legal action is necessary, existing laws provide sufficient authority. 
Consumer concern about control of their computers being taken over by spyware 
leads others to conclude that legislative action is needed. 

Utah and California have passed spyware laws, but there is no specific federal 
law regarding spyware. In the 108 th Congress, the House passed two bills (H.R. 2929 
and H.R. 4661) and the Senate Commerce Committee reported S. 2145. There was 
no further action. 

Two bills passed the House in the first session of the 109 th Congress : H.R. 29 
(Bono) and H.R. 744 (Goodlatte). Two bills specific to spyware were introduced in 
the Senate: S. 687 (Bums-Wyden), and S. 1004 (Allen). A Senate Commerce 



28 (...continued) 

August 11, 2005, 14:30:00 PDT. 





http://wikileaks.org/wiki/CRS-RL31408 



CRS-14 



Committee hearing on S. 687 was held on May 11, 2005. On November 17, 2005, 
the committee ordered reported S. 687, and defeated S. 1004, with committee 
Chairman Stevens reportedly saying that he hoped a compromise could be reached 
before the issue was debated on the floor. 29 Meanwhile, the FTC endorsed a 
different bill, S. 1608, at a hearing before a Senate Commerce subcommittee on 
October 5, 2005. That bill deals not only with spyware, but with other Internet- 
related fraud, including spam. Its focus is enhancing the FTC’s ability to investigate 
and prosecute perpetrators who are located abroad or who use foreign intermediaries. 
For more information, see CRS Report RL32706, Spyware: Background and Policy 
Issues for Congress, by Marcia Smith. 



Identity Theft (Including Phishing and Pharming) 

Identity theft is not an Internet privacy issue, but the perception that the Internet 
makes identity theft easier means that it is often discussed in the Internet privacy 
context. The concern is that the widespread use of computers for storing and 
transmitting information is contributing to the rising rate of identity theft over the 
past several years, where one individual assumes the identity of another using 
personal information such as credit card and Social Security numbers (SSNs). The 
FTC has a toll free number (877-ID-THEFT) to help victims. 30 

The extent to which the Internet is responsible for the increase in cases is 
debatable. Some attribute the rise instead to carelessness by businesses in handling 
personally identifiable information, and by credit issuers that grant credit without 
proper checks. More traditional methods of acquiring someone’s personal 
information — from lost or stolen wallets, or “dumpster diving” — also are used by 
identity thieves. Three high profile incidents that became public in early 2005 where 
the security of consumer PH was compromised reinforced existing fears about 
identity theft. The companies involved are ChoicePoint, Bank of America, and 
LexisNexis. These incidents are described in CRS Report RS22082, Identity Theft: 
The Internet Connection, by Marcia Smith. 

Identity Theft Statistics 

In a 2003 survey for the FTC, Synovate found that 51% of victims knew how 
their personal information was obtained by the thief: 14% said their information was 
obtained from lost or stolen wallets, checkbooks, or credit cards; 13% said the 
personal information was obtained during a transaction; 4% cited stolen mail; and 



29 Stables, Eleanor. Panel Approves Slew of Transportation, Spyware and Other Bills in 
Markup. CQ.com, November 17, 2005. 

30 See also CRS Report RL3 19 19, Remedies Available to Victims of Identity Theft, and CRS 
Report RS2 1083, Identity Theft and the Fair Credit Reporting Act: cm Analysis of TRW v. 
Andrews and Current Legislation, both by Angie Welborn. 




http://wikileaks.org/wiki/CRS-RL31408 



CRS-15 



14% said the thief used “other” means (e.g. the information was misused by someone 
who had access to it such as a family member or workplace associate). 31 

Another survey, conducted by the Council of Better Business Bureaus and 
Javelin Strategy & Research, was released in January 2005. 32 The 2005 Identity 
Fraud Survey is based on data collected in 2004 by Synovate using questions that 
closely mirrored those used in the 2003 FTC survey, plus several new questions. The 
survey found that computer crime accounted for 11.6% of identity theft cases in 
2004, compared with 68% from paper sources. It further found that the average loss 
for online identity theft was $55 1 compared to $4,543 from paper sources. In cases 
where the perpetrator could be identified, family members were responsible for 32% 
of cases; complete strangers outside the workplace for 24%; friends, neighbors, and 
in-home employees for 18%; someone at a company with access to personal 
information for 13%; someone at the victim’s workplace for 4%; or “someone else” 
for 8%. The study concluded that, contrary to popular perception, identity theft is 
not getting worse. For example, it reported that the number of victims declined from 
10.1 million in 2003 to 9.3 million in 2004, and the annual dollar volume, adjusted 
for inflation, is “highly similar” ($52.6 billion) in the 2003 survey and this survey. 

On January 25, 2006, the FTC released its most recent data about the top ten 
consumer fraud complaints. 33 Identity theft represented 37% of the 686,683 
complaints filed with the FTC in 2005. Although the total number of ID theft 
complaints was higher than in the two previous years (255,565 in 2005 compared 
with 246,847 in 2004 and 215,177 in 2004), as apercentage of complaints filed with 
the FTC, the 2005 figure was less (37% in 2005 compared with 38% in 2004 and 
40% in 2003). Credit card fraud was identified as the most common form of identity 
theft (26%), compared with phone or utilities fraud (18%), bank fraud (17%), 
employment fraud (12%), government documents/benefits fraud (9%), and loan fraud 
(5%). 

“Phishing” and “Pharming” 

One method used to obtain PII is called “phishing.” It refers to an Internet- 
based practice in which someone misrepresents their identity or authority in order to 
induce another person to provide PII. Some common phishing scams involve e-mails 
that purport to be from financial institutions or ISPs claiming that a person’s record 
has been lost. The e-mail directs the person to a website that mimics the legitimate 
business’ website and asks the person to enter a credit card number and other PII so 



31 Synovate. “ Federal Trade Commission — Identity Theft Survey Report.” September 
2003. pp. 30-31. [http://www.ftc.gov/opa/2003/09/idtheft.htm] 

32 An abbreviated “complimentary” version of the report is available at 
[http://www.j avelinstrategy.com/reports/2005IdentityFraudSurveyReport. html] . A Better 
Business Bureau press release is at [http://www.bbb. org/alerts/article.asp?ID=565]. The 
survey was sponsored Checkfree, Visa, and Wells Fargo & Company, but the report 
emphasizes that although those companies were invited to comment on the content of the 
questionnaire, they were not involved in the tabulation, analysis, or reporting of final results. 

33 FTC. Consumer Fraud and Identity Theft Complaint Data: January - December 2005. 
[http://www.consumer.gov/sentinel/pubs/Topl0Fraud2005.pdf]. 




http://wikileaks.org/wiki/CRS-RL31408 



CRS-16 



the record can be restored. In fact, the e-mail or website is controlled by a third party 
who is attempting to extract information that will be used in identity theft or other 
crimes. The FTC issued a consumer alert on phishing in June 2004. 34 An “Anti- 
Phishing Working Group” industry association has been established to collectively 
work on solutions to phishing [http://www.antiphishing.org/]. 

A version of phishing, dubbed “pharming,” involves fraudulent use of domain 
names. 35 In pharming, hackers hijack a legitimate website’s domain name, and 
redirect traffic intended for that website to their own. The computer user sees the 
intended website’s address in the browser’s address line, but instead, he or she is 
connected to the hacker’s site and may unknowingly provide PII to the hacker. 36 

Existing Laws 

The FTC enforces three federal laws that restrict disclosure of consumer 
information and require companies to ensure the security and integrity of the data in 
certain contexts — Section 5 of the Federal Trade Commission Act, the Fair Credit 
Reporting Act (FCRA), and Title V of the Gramm-Leach-Bliley Act. FTC 
Chairwoman Deborah Platt Majoras summarized these laws as they pertain to 
identity theft at a March 10, 2005 hearing before the Senate Committee on Banking, 
Housing, and Urban Affairs. 37 She identified two other laws that are not enforced by 
the FTC, but which also restrict the disclosure of certain types of information: the 
Driver’s Privacy Protection Act, and the Health Insurance Portability and 
Accountability Act. 

Congress also has passed laws specifically regarding identity theft: the 1998 
Identity Theft and Assumption Deterrence Act; the 2003 Fair and Accurate Credit 
Transactions (FACT) Act; and the 2004 Identity Theft Penalty Enhancement Act. 
Those laws are summarized in CRS Report RL3 1919, Remedies Available to Victims 
of Identity Theft , by Angie Welborn. Briefly, the Identity Theft and Assumption 
Deterrence Act (P.L. 105-3 18) directed the FTC to establish a central repository for 
identity theft complaints, and provide victim assistance and consumer education. 

The FACT Act (P.L. 108-159) contains perhaps the most comprehensive 
identity theft provisions in federal law. Implementation of that act is discussed in 
CRS Report RL32535. Implementation of the Fair and Accurate Credit Transactions 
(FACT) Act, by Angie Welborn. Among its identity theft-related provisions, the law: 



34 FTC. “How Not to Get Hooked by a ‘Phishing” Scam.” June 2004. [http://www.ftc.gov/ 
bcp/conline/pubs/alerts/phishingalrt.pdf]. 

35 For more on domain names, and the DNS, see CRS Report 97-868, Internet Domain 
Names: Background and Policy Issues, by Lennard G. Kruger. 

36 For more on pharming, see, for example, Delio, Michelle. “Pharming Out-Scams 
Phishing.” March 14, 2005 

[http://www.wired.eom/news/infostructure/0, 1377, 66853.00.html]. 

37 Available at [http://banking.senate.gov/_files/majoras.pdf]. 




http://wikileaks.org/wiki/CRS-RL31408 



CRS-17 



• requires consumer reporting agencies (CRAs) to follow certain 
procedures concerning when to place, and what to do in response to, 
fraud alerts on consumers’ credit files; 

• allows consumers one free copy of their consumer report each year 
from nationwide CRAs as long as the consumer requests it through 
a centralized source under rules to be established by the FTC; 38 

• allows consumers one free copy of their consumer report each year 
from nationwide specialty CRAs (medical records or payments, 
residential or tenant history, check writing history, employment 
history, and insurance claims) upon request pursuant to regulations 
to be established by the FTC; 

• requires credit card issuers to follow certain procedures if additional 
cards are requested within 30 days of a change of address 
notification for the same account; 

• requires the truncation of credit card numbers on electronically 
printed receipts; 

• requires business entities to provide records evidencing transactions 
alleged to be the result of identity theft to the victim and to law 
enforcement agencies authorized by the victim to take receipt of the 
records in question; 

• requires CRAs to block the reporting of information in a consumer’ s 
file that resulted from identity theft and to notify the furnisher of the 
information in question that it may be the result of identity theft; 

• requires federal banking agencies, the FTC, and the National Credit 
Union Administration to jointly develop guidelines for use by 
financial institutions, creditors and other users of consumer reports 
regarding identity theft; and 

• extends the statute of limitations for when identity theft cases can be 
brought. 

The Identity Theft Penalty Enhancement Act (P.L. 108-275) makes aggravated 
identity theft in conjunction with felonies a crime, and establishes mandatory 
sentences — two additional years beyond the penalty for the underlying crime, or five 
additional years for those who steal identities in conjunction with a terrorist act. 39 



38 The FTC rules on free credit reports were issued on June 4, 2004 and are available at 
[http://www.ftc.gov/opa/2004/06/freeannual.htm]. 

39 “Senate Clears Tougher Penalties for Identity Theft in Conjunction with Felony.” CQ 
Weekly, June 26, 2004, p. 1561. 




http://wikileaks.org/wiki/CRS-RL31408 



CRS-18 



At the March 10, 2005 Senate Banking Committee hearing, 40 FTC Chairwoman 
Majoras discussed the”complicated maze” of laws that governs consumer data, 
noting whether particular legal provisions apply depends on the type of company or 
institution involved, the type of data collected or sold, and the purpose for which it 
will be used. She conceded that it is not clear if data brokers like ChoicePoint come 
under the FTC’s jurisdiction, and concluded that additional legislation may be 
necessary, particularly regarding notice and security. A witness from the Secret 
Service also testified about his agency’s jurisdiction over identity theft crimes. 

Legislation in the 109 th Congress, 1 st Session 

Congress continues to consider ways to reduce the incidence of identity theft. 
Legislative approaches include strengthening penalties for identity theft or for the 
misuse of SSNs; 41 increasing regulation of data brokers, such as by requiring them 
to notify individuals whose PII has been breached, or to obtain a consumer’s consent 
before selling PE; limiting the use of SSNs or allowing individuals to choose an 
identifier other than their SSN for Medicare purposes, for example; or making 
phishing unlawful. 

Despite the widespread attention to these issues, and the introduction of many 
bills, no legislation to further address identity theft or to regulate data brokers passed 
during the first session of the 109 th Congress. Four bills were acted upon in 
committee or subcommittee, however (H.R. 4127, S. 1326, S. 1408, and S. 1789). 
According to the Wall Street Journal , legislative action stalled because of differing 
views among the various stakeholders in the debate. 

Consumer groups are pushing for credit protections that financial 
institutions oppose. Small banks are arguing with larger ones about who 
picks up the ‘reissuing costs’ when credit or debit cards must be replaced. 

And everyone with a stake in the issue is debating the ‘notification trigger,’ 
specifying what breaches require altering customers. 42 

The markup of H.R. 4127 (Steams) by the House Energy and Commerce 
Subcommittee on Commerce, Trade, and Consumer Protection was spirited, and the 
vote split on party lines. 43 The Senate Judiciary Committee reported S. 1326 
(Sessions) without amendment and without written report on October 20, 2005. By 
contrast, the markup of S. 1789 (Specter) by the same committee on October 27, 



40 The hearing can be viewed on the committee’s website at 
[http://banking.senate.gov/index.cfm?Fuseaction=Hearings.Detail&HearingID=142]. 

41 For more on Social Security numbers, see CRS Report RL30318, The Social Security 
Number: Legal Developments Affecting Its Collection , Disclosure, and Confidentiality, by 
Kathleen S. Swendiman. 

42 Conkey, Christopher. Identity-Theft Bills Stall in Congress. Wall Street Journal, 
November 26, 2005, p. A4 (via Factiva). 

43 Krim, Jonathan. Parties Split on Data-Protection Bill. Washington Post, November 4, 
2005, p. D 4 (via Factiva). 




http://wikileaks.org/wiki/CRS-RL31408 



CRS-19 



2005 involved considerable debate. 44 The Senate Commerce, Science, and 
Transportation Committee reported S. 1408 (Smith), amended, on December 8, 2005 . 
See Table 1 for brief descriptions of the bills and associated report numbers. 

For more on legislative action, see CRS Report RL3 1919, Remedies Available 
to Victims of Identity Theft , by Angie Welborn. 



Summary of Internet Privacy-Related Legislation in 
the 109 th Congress, 1 st Session 

The following table provides summary information on Internet privacy-related 
legislation introduced in the first session of the 109 lh Congress. It should be noted 
that although some bills have similar titles or intents, the details may vary. For 
example, some bills seek to protect “personal information,” while others protect 
“personally identifiable information” (PII). Some concern “data,” while others 
concern “electronic data.” Definitions may vary, or, in some cases, the FTC is 
directed to determine a definition. 



Table 1. Bills Introduced in the 109 th Congress, 1 st Session 



Bill (Sponsor) 


Summary, Committee(s) of Referral, and 
Status as of January 26, 2006 


Internet Privacy General 


H.R. 84 

(Frelinghuysen) 


Online Privacy Protection Act. Requires the FTC to prescribe 
regulations to protect the privacy of personal information collected 
from and about individuals not covered by COPPA. (Energy & 
Commerce) 


H.R. 1263 

(Stearns) 


Consumer Privacy Protection Act. Broad consumer privacy bill 
including provisions related to identity theft, regulation of “data 
collection organizations,” and a study of the impact on U.S. 
interstate and foreign commerce of privacy laws, etc., adopted by 
other countries. (Energy & Commerce, International Relations) 


H.R. 1310 

(Maloney) 


Protection of Civil Liberties Act. Inter alia, makes the Privacy 
and Civil Liberties Oversight Board an independent agency, instead 
of part of the Executive Office of the President, and specifies certain 
qualifications for Board members and requires they be confirmed by 
the Senate. (Government Reform, Judiciary, Homeland Security, 
Intelligence) 


H.R. 1526 

(Otter) 


Security and Freedom Ensured Act (SAFE Act). Inter alia, 
makes Section 216 of the USA PATRIOT Act subject to the sunset 
date. (Judiciary, Intelligence) 



44 



Ibid. 









http://wikileaks.org/wiki/CRS-RL31408 



CRS-20 



Bill (Sponsor) 


Summary, Committee(s) of Referral, and 
Status as of January 26, 2006 


H.R. 3058 

(Knollenberg) 

P.L. 109-115 


FY2006 Transportation-Treasury Appropriations. Continues 
language in previous appropriations bills prohibiting federal 
websites from collecting data about visitors to those websites. 
Section 933 in House version (passed House June 30. 2005); Section 
831 in Senate version (passed Senate October 20, 2005). Sec. 832 
in final version, signed into law on November 30, 2005. 


H.R. 3199 

(Sensenbrenner) 

S. 1389 

(Specter) 


USA Patriot and Terrorism Prevention Reauthorization Act. 

Inter alia, House version repeals the sunset provision of USA 
PATRIOT Act, meaning that none of the sections would expire. 
Senate version, inter alia, enhances reporting requirements for 
Section 216. Reported from House Judiciary and Intelligence 
Committees (H.Rept. 109-174, Pt. I and Pt. II) 7/18/2005; passed 
House, amended, July 21, 2005. Passed Senate July 29 after 
substituting the language of S. 1389 as reported from Senate 
Judiciary Committee (no written report) and further amended. 
Conference report (H.Rept. 109-333) adopted House position re 
sunset clause. Passed House December 14, 2005. Senate did not 
pass conference report in the first session of the 109 th Congress. 
Instead, it passed S. 2167, extending the sunset date by six months, 
but the House modified that to five weeks (to February 3, 2006). 
SeeS. 2167. 


H.R. 3503 

(Cannon) 

S. 936 

(Leahy-Sununu) 


E-Mail Privacy Act. Amends the Wiretap Act to clarify that it 
covers e-mail that is temporarily stored in transit (in response to the 
Councilman case). (House Judiciary; Senate Judiciary) 


S. 737 

(Craig) 


Security and Freedom Ensured Act (SAFE Act). Inter alia, sets 
additional requirements regarding use of authorities under Section 
2 16 of the USA PATRIOT Act. (Judiciary) 


S. 2082 

(Sununu) 


To extend the sunset provisions of the USA PATRIOT Act and 
other purposes. Would extend the sunset provisions to March 3 1 , 
2006. (Judiciary) 


S. 2167 

(Sununu) 

P.L. 109-160 


Extends the sunset date for certain provisions of the USA PATRIOT 
Act. See also H.R. 3199. The Senate passed S. 2167 on Dec. 21, 

2005, extending the sunset date for six months. The House amended 
S. 2167 to extend the sunset date only for five weeks, to February 3, 

2006, to ensure Congress would resume debate early in the second 
session. The Senate agreed with the House amendment on Dec. 22, 
2005. Signed into law December 30, 2005. 


Spyware 


H.R. 29 

(Bono) 


Spy Act. Requires the FTC to prescribe regulations prohibiting the 
transmission of spyware programs via the Internet to computers 
without the user’s consent, and notification to the user that the 
program will be used to collect PII; makes phishing unlawful. 

Reported from House Energy and Commerce Committee 
(H.Rept. 109-32); passed House May 23, 2005. 




















http://wikileaks.org/wiki/CRS-RL31408 



CRS-21 



Bill (Sponsor) 


Summary, Committee(s) of Referral, and 
Status as of January 26, 2006 


H.R. 744 

(Goodlatte) 


Internet Spyware (I-SPY) Prevention Act. Sets criminal penalties 
for certain spyware practices. Reported from House Judiciary 
Committee (H.Rept. 109-93); passed House May 23, 2005. 


S. 687 

(Burns-Wyden) 


SPY BLOCK Act. Broad anti-spyware bill. Ordered reported 
from Senate Commerce Committee, November 17, 2005. 


S. 1004 

(Allen) 


Enhanced Consumer Protection Against Spyware Act. To 

provide the FTC with the resources necessary to protect Internet 
users from spyware. (Commerce) 


S. 1608 

(Smith) 


Undertaking Spam, Spyware, and Fraud Enforcement With 
Enforcers Beyond Borders (U.S. SAFE WEB) Act. To enhance 
FTC enforcement against spyware and other Internet-related fraud 
(including spam), focusing on cross-border fraud and deception. 

Ordered reported from Senate Commerce Committee December 
15, 2005. 


Identity theft/proteeting SSNs and other PII 


H.R. 82 

(Frelinghuysen) 


Social Security On-line Privacy Protection Act. Regulates the use 
by interactive computer services of SSNs and related PII. (Energy 
and Commerce) 


H.R. 92 

(Frelinghuysen) 


Permits Medicare beneficiaries to use an identification number other 
than their SSN in order to deter identity theft. (Ways and Means, 
Energy and Commerce) 


H.R. 220 

(Paul) 


Identity Theft Prevention Act. Protects the integrity and 
confidentiality of SSNs, prohibits the establishment of a uniform 
national identifying number, and prohibits federal agencies from 
imposing standards of identification for individuals on other 
agencies or persons. (Ways & Means, Government Reform) 


H.R. 1069 

(Bean) 


Notification of Risk to Personal Data Act.* Requires federal 
agencies, and persons engaged in interstate commerce, in possession 
of electronic data containing personal information, to disclose any 
unauthorized acquisition of such information; requires financial 
institutions to disclose to customers and consumer reporting 
agencies any unauthorized access to personal information; and 
requires consumer reporting agencies to implement fraud alerts 
under certain circumstances. (Energy & Commerce, Government 
Reform, Financial Services) 


H.R. 1078 

(Markey) 


Social Security Number Protection Act. Regulates the sale and 
purchase of SSNs. (Energy & Commerce, Ways & Means) 


H.R. 1080 

(Markey) 


Information Protection and Security Act. Regulates the conduct 
of information brokers and the protection of PII held by them. 
(Energy & Commerce) 


H.R. 1099 

(Hooley) 


Anti-Phishing Act. Criminalizes phishing. (Judiciary) 





























http://wikileaks.org/wiki/CRS-RL31408 



CRS-22 



Bill (Sponsor) 


Summary, Committee(s) of Referral, and 
Status as of January 26, 2006 


H.R. 1653 

(Markey) 

S. 810 

(Clinton) 


Safeguarding Americans from Exporting Identification Data 
(SAFE-ID) Act. Allows U.S. business entities to transmit PII of 
U.S. citizens to foreign affiliates or subcontractors in another 
country if that country has adequate privacy protections and the 
citizen has been given prior notice and not opted-out; and prohibits 
them from transmitting PII to foreign affiliates or subcontractors in 
a country without adequate privacy protections unless the U.S. 
citizen has opted-in. (House Energy & Commerce; Senate 
Judiciary) 


H.R. 1745 

(Shaw) 


Social Security Number and Identity Theft Prevention Act. To 

enhance SSN protections, prevent fraudulent misuse of SSNs, and 
otherwise enhance protection against identity theft. (Ways & 
Means) 


H.R. 3140 

(Bean) 


Consumer Data Security and Notification Act. To regulate 
information brokers, enhance information security requirements for 
consumer reporting agencies and information brokers, and require 
consumer reporting agencies, financial institutions, and other 
entities to notify consumers of data security breaches involving 
sensitive consumer information. (Financial Services) 


H.R. 3374 

(LaTourette) 


Consumer Notification and Financial Data Protection Act. To 

provide for the uniform and timely notification of consumers whose 
sensitive financial personal information has been placed at risk by 
a breach of data security, to enhance data security safeguards, and 
to provide appropriate consumer mitigation services. (Financial 
Services) 


H.R. 3375 

(Pryce) 


Financial Data Security Act. To amend the Fair Credit Reporting 
Act to provide for secure financial data. (Financial Services) 


H.R. 3501 

(Carson) 


Consumer Access Rights Defense Act. To require financial 
institutions and financial service providers to notify customers of the 
unauthorized use of personal financial information. (Energy & 
Commerce, Government Reform, Financial Services) 


H.R. 3804 

(McCarthy) 


Identity Theft Relief Act. To allow a 100% deduction for expenses 
related to a “qualified identity theft” (as defined in the act) on 
federal tax returns. (Ways and Means) 


H.R. 3997 

(LaTourette) 


Financial Data Protection Act. To amend the Fair Credit 
Reporting Act to provide for secure financial data. (Financial 
Services) 


H.R. 4127 

(Stearns) 


Data Accountability and Trust Act (DATA). Requires reasonable 
security policies and procedures to protect computerized data 
containing personal information and provide for nationwide notice 
of security breaches. (Energy and Commerce) Subcommittee 
markup November 3, 2005. 
























http://wikileaks.org/wiki/CRS-RL31408 



CRS-23 



Bill (Sponsor) 


Summary, Committee(s) of Referral, and 
Status as of January 26, 2006 


H.R. 4244 

(Hooley) 


Regional ID Theft Task Force Act. Provides grants for regional 
task forces to more effectively investigate and prosecute identity 
theft and other economic crimes. (Judiciary) 


S. 29 

(Feinstein) 


Social Security Misuse Prevention Act. Limits the misuse of 
SSNs and establishes criminal penalties for such misuse. 
(Judiciary) 


S. 115 

(Feinstein) 


Notification of Risk to Personal Data Act.* Requires federal 
agencies, and persons engaged in interstate commerce, in possession 
of electronic data containing personal information, to disclose any 
unauthorized acquisition of such information. (Judiciary) 


S. 116 

(Feinstein) 


Privacy Act of 2005. Requires the consent of an individual prior to 
the sale and marketing of the individual’s Pll. (Judiciary) 


S. 472 

(Leahy) 


Anti-Phishing Act. Criminalizes phishing. (Judiciary) 


S. 500 

(Bill Nelson) 


Information Protection and Security Act. Regulates information 
brokers and protects individual rights to Pll. (Commerce) 


S. 751 

(Feinstein) 


Notification of Risk to Personal Data Act.* Requires federal 
agencies, and persons engaged in interstate commerce, in possession 
of data containing personal information to disclose any unauthorized 
acquisition of such information. (Commerce) 


S. 768 

(Schumer) 


Comprehensive Identity Theft Prevention Act. Broad identity 
theft prevention bill, including protecting SSNs, assistance to 
victims, coordinating international action against identity theft, 
notification of information breaches, and establishing an Office of 
Identity Theft at the FTC. (Commerce) 


S. 1326 

(Sessions) 


Notification of Risk to Personal Data Act. Requires federal 
agencies and persons in possession of computerized data containing 
sensitive personal information to disclose security breaches if it 
poses a significant risk of identity theft. Reported from Senate 
Judiciary Committee without amendment and without written 
report October 20, 2005. 


S. 1332 

(Specter) 


Personal Data Privacy and Security Act. To prevent and mitigate 
identity theft, to ensure privacy, and to enhance criminal penalties 
and other protections against security breaches, fraudulent access 
and misuse of Pll. Read the second time and placed on the 
legislative calendar July 1. 


S. 1336 

(Pryor) 


Consumer Identity Protection and Security Act. To establish 
procedures for the protection of consumers from misuse or 
unauthorized access to sensitive personal information contained in 
private information files maintained by commercial entities engaged 
in or affecting interstate commerce and provide for their 
enforcement by the FTC. (Commerce) 




























http://wikileaks.org/wiki/CRS-RL31408 



CRS-24 



Bill (Sponsor) 


Summary, Committee(s) of Referral, and 
Status as of January 26, 2006 


S. 1408 

(Smith) 


Identity Theft Protection Act. Strengthens data protection and 
safeguards, requires notification of data breaches, and further 
prevents identity theft. Reported from Senate Commerce 
Committee December 8, 2005 (S.Rept. 109-203). 


S. 1461 

(Shelby) 


Consumer Identity Protection and Security Act. To protect 
consumers from misuse of, and unauthorized access to, sensitive 
personal information contained in private information files 
maintained by commercial entities engaged in, or affecting, 
interstate commerce, and provide for enforcement of those 
procedures by the FTC. (Banking) 


S. 1594 

(Corzine) 


Financial Privacy Protection Act. To require financial services 
providers to maintain customer information security systems and to 
notify customers of unauthorized access to personal information. 
(Banking) 


S. 1789 

(Specter) 


Personal Data Privacy and Security Act. To prevent and mitigate 
identity theft, to ensure privacy, to provide notice of security 
breaches, and to enhance criminal penalties, law enforcement 
assistance, and other protections against security breaches, 
fraudulent access, and misuse of PII. Reported from Senate 
Judiciary Committee without written report November 17, 
2005. 



Source: Prepared by CRS. 

Note: PII = Personally Identifiable Information; SSN = Social Security Number. 
* Although H.R. 1069, S. 1 15, and S. 751 have the same title, each is different. 









http://wikileaks.org/wiki/CRS-RL31408 



CRS-25 



Appendix A. Internet Privacy-Related Legislation 
Passed by the 108 th Congress 



H.R. 2622 

(Bachus) 

P.L. 108-159 


Fair and Accurate Credit Transactions Act. Includes 
several provisions related to identity theft, such as setting 
requirements on consumer reporting agencies and credit card 
issuers, requiring truncation of credit card numbers on 
electronically printed receipts, and extending the statute of 
limitations for when identity theft cases can be brought. 


H.R. 1731 

(Carter) 

P.L. 108-275 


Identity Theft Penalty Enhancement Act. Makes aggravated 
identity theft in conjunction with felonies a crime, and 
establishes mandatory sentences. 


H.R. 4818 

(Kolbe) 

P.L. 108-447 


FY2005 Transportation, Treasury and General 
Government Appropriations Bill (incorporated into the 
FY2005 Consolidated Appropriations Act). Section 633 
continues prohibition on use of appropriated funds to collect 
personal information about visitors to federal websites. 


S. 2845 

(Collins) 

P.L. 108-458 


Intelligence Reform and Terrorism Protection Act. 

Creates Privacy and Civil Liberties Oversight Board. 



Appendix B. Internet Privacy-Related Legislation 
Passed by the 107 th Congress 



H.R. 2458 (Turner)/ 
S. 803 (Lieberman) 

P.L. 107-347 


E-Government Act. Inter alia, sets requirements on 
government agencies in how they assure the privacy of 
personal information in government information systems and 
establish guidelines for privacy policies for federal websites. 


H.R. 5505 

(Armey) 

P.L. 107-296 


Homeland Security Act. Incorporates H.R. 3482, Cyber 
Security Enhancement Act, as Section 225. Loosens 
restrictions on ISPs, set in the USA PATRIOT Act, as to when, 
and to whom, they can voluntarily release information about 
subscribers. 


H.R. 2215 

(Sensenbrenner) 

P.L. 107-273 


21 st Century Department of Justice Authorization Act. 

Requires the Justice Department to notify Congress about its 
use of Carnivore (DCS 1000) or similar Internet monitoring 
systems. 


H.R. 3162 

(Sensenbrenner) 

P.L. 107-56 


USA PATRIOT Act. Expands law enforcement’s authority to 
monitor Internet activities. See CRS Report RL3 1289 for how 
the act affects use of the Internet. Amended by the Homeland 
Security Act (see P.L. 107-296). 




















